From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1240872-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 502401382C5
	for <garchives@archives.gentoo.org>; Mon, 11 Jan 2021 01:27:12 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id BCB55E0AD3;
	Mon, 11 Jan 2021 01:27:10 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 9927CE0AD3
	for <gentoo-commits@lists.gentoo.org>; Mon, 11 Jan 2021 01:27:10 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 8839634108D
	for <gentoo-commits@lists.gentoo.org>; Mon, 11 Jan 2021 01:27:09 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id BCE7F4A0
	for <gentoo-commits@lists.gentoo.org>; Mon, 11 Jan 2021 01:27:06 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1610315537.6069aa838b4f8dc5dccc14a0487eeb04916cc50e.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/xserver.if policy/modules/system/userdomain.if
X-VCS-Directories: policy/modules/services/ policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 6069aa838b4f8dc5dccc14a0487eeb04916cc50e
X-VCS-Branch: master
Date: Mon, 11 Jan 2021 01:27:06 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 7e9371ef-13b6-4979-84b1-2ac0c11fadcc
X-Archives-Hash: f99ed4d7c39293b34eb89b555d039762

commit:     6069aa838b4f8dc5dccc14a0487eeb04916cc50e
Author:     0xC0ncord <me <AT> concord <DOT> sh>
AuthorDate: Mon Nov 23 20:22:59 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6069aa83

userdomain, xserver: move xdg rules to userdom_xdg_user_template

xdg rules are normally set in xserver. But, if a modular policy is being
used and the xserver module is not present, the required rules for users
to be able to access xdg content are never created and thus these files
and directories cannot be interacted with by users. This change adds a
new template that can be called to grant these privileges to userdomain
types as necessary.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/xserver.if  | 36 ---------------------
 policy/modules/system/userdomain.if | 62 +++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 36 deletions(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index d5d6c791..e18dc704 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -185,42 +185,6 @@ interface(`xserver_role',`
 	xserver_read_xkb_libs($2)
 
 	optional_policy(`
-		xdg_manage_all_cache($2)
-		xdg_relabel_all_cache($2)
-		xdg_watch_all_cache_dirs($2)
-		xdg_manage_all_config($2)
-		xdg_relabel_all_config($2)
-		xdg_watch_all_config_dirs($2)
-		xdg_manage_all_data($2)
-		xdg_relabel_all_data($2)
-		xdg_watch_all_data_dirs($2)
-
-		xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
-		xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
-		xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
-
-		xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
-		xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
-		xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
-		xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
-		xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
-
-		xdg_manage_documents($2)
-		xdg_relabel_documents($2)
-		xdg_watch_documents_dirs($2)
-		xdg_manage_downloads($2)
-		xdg_relabel_downloads($2)
-		xdg_watch_downloads_dirs($2)
-		xdg_manage_music($2)
-		xdg_relabel_music($2)
-		xdg_watch_music_dirs($2)
-		xdg_manage_pictures($2)
-		xdg_relabel_pictures($2)
-		xdg_watch_pictures_dirs($2)
-		xdg_manage_videos($2)
-		xdg_relabel_videos($2)
-		xdg_watch_videos_dirs($2)
-
 		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 	')
 ')

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7ce340dc..4c902bff 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1207,6 +1207,9 @@ template(`userdom_unpriv_user_template', `
 		fs_exec_noxattr($1_t)
 	')
 
+	# Allow users to manage xdg content in their home directories
+	userdom_xdg_user_template($1_t)
+
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users) disabling this forces FTP passive mode
 	# and may change other protocols
@@ -1529,6 +1532,65 @@ template(`userdom_security_admin_template',`
 	')
 ')
 
+########################################
+## <summary>
+##	Allow user to interact with xdg content types
+## </summary>
+## <desc>
+##	<p>
+##  Create rules to allow a user to manage xdg
+##  content in a user home directory with an
+##  automatic type transition to those types.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_xdg_user_template',`
+	xdg_manage_all_cache($1_t)
+	xdg_relabel_all_cache($1_t)
+	xdg_watch_all_cache_dirs($1_t)
+	xdg_manage_all_config($1_t)
+	xdg_relabel_all_config($1_t)
+	xdg_watch_all_config_dirs($1_t)
+	xdg_manage_all_data($1_t)
+	xdg_relabel_all_data($1_t)
+	xdg_watch_all_data_dirs($1_t)
+
+	xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
+	xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
+	xdg_generic_user_home_dir_filetrans_data($1_t, dir, ".local")
+
+	xdg_generic_user_home_dir_filetrans_documents($1_t, dir, "Documents")
+	xdg_generic_user_home_dir_filetrans_downloads($1_t, dir, "Downloads")
+	xdg_generic_user_home_dir_filetrans_music($1_t, dir, "Music")
+	xdg_generic_user_home_dir_filetrans_pictures($1_t, dir, "Pictures")
+	xdg_generic_user_home_dir_filetrans_videos($1_t, dir, "Videos")
+
+	xdg_manage_documents($1_t)
+	xdg_relabel_documents($1_t)
+	xdg_watch_documents_dirs($1_t)
+	xdg_manage_downloads($1_t)
+	xdg_relabel_downloads($1_t)
+	xdg_watch_downloads_dirs($1_t)
+	xdg_manage_music($1_t)
+	xdg_relabel_music($1_t)
+	xdg_watch_music_dirs($1_t)
+	xdg_manage_pictures($1_t)
+	xdg_relabel_pictures($1_t)
+	xdg_watch_pictures_dirs($1_t)
+	xdg_manage_videos($1_t)
+	xdg_relabel_videos($1_t)
+	xdg_watch_videos_dirs($1_t)
+')
+
 ########################################
 ## <summary>
 ##	Make the specified type usable as